
malice-yara


Malice Yara Plugin

This repository contains a Dockerfile of the Yara malice plugin malice/yara.

Dependencies

Image Tags

REPOSITORY          TAG                 SIZE
malice/yara         latest              51.9MB
malice/yara         0.1.0               51.9MB
malice/yara         neo23x0             51.3MB

NOTE: tag neo23x0 contains all of the signature-base rules

Installation

  1. Install Docker.
  2. Download trusted build from public DockerHub: docker pull malice/yara

Usage

docker run --rm -v /path/to/rules:/rules:ro malice/yara:neo23x0 FILE

Or mount your own malware folder:

$ docker run -v /path/to/malware:/malware:ro -v /path/to/rules:/rules:ro malice/yara:neo23x0 FILE

Usage: yara [OPTIONS] COMMAND [arg...]

Malice YARA Plugin

Version: v0.1.0, BuildTime: 20180902

Author:
  blacktop - <https://github.com/blacktop>

Options:
  --verbose, -V          verbose output
  --elasticsearch value  elasticsearch url for Malice to store results [$MALICE_ELASTICSEARCH_URL]
  --callback, -c         POST results to Malice webhook [$MALICE_ENDPOINT]
  --proxy, -x            proxy settings for Malice webhook endpoint [$MALICE_PROXY]
  --table, -t            output as Markdown table
  --timeout value        malice plugin timeout (in seconds) (default: 60) [$MALICE_TIMEOUT]
  --rules value          YARA rules directory (default: "/rules")
  --help, -h             show help
  --version, -v          print the version

Commands:
  web   Create a Yara web service
  help  Shows a list of commands or help for one command

Run 'yara COMMAND --help' for more information on a command.

This will write results to stdout and POST them to the Malice results API webhook endpoint.

Sample Output

JSON

{
  "yara": {
    "matches": [
      {
        "Rule": "APT30_Generic_7",
        "Namespace": "malice",
        "Tags": null,
        "Meta": {
          "author": "Florian Roth",
          "date": "2015/04/13",
          "description": "FireEye APT30 Report Sample",
          "hash0": "2415f661046fdbe3eea8cd276b6f13354019b1a6",
          "hash1": "e814914079af78d9f1b71000fee3c29d31d9b586",
          "hash2": "0263de239ccef669c47399856d481e3361408e90",
          "license": "https://creativecommons.org/licenses/by-nc/4.0/",
          "reference": "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
          "super_rule": 1
        },
        "Strings": [
          {
            "Name": "$s1",
            "Offset": 29824,
            "Data": "WGphcG9yXyphdGE="
          },
          {
            "Name": "$s2",
            "Offset": 29848,
            "Data": "WGphcG9yX28qYXRh"
          },
          {
            "Name": "$s4",
            "Offset": 29864,
            "Data": "T3VvcGFp"
          }
        ]
      }
    ]
  }
}

FILTERED Output JSON:

$ cat JSON_OUTPUT | jq '.[][][] .Rule'

"_Microsoft_Visual_Cpp_v50v60_MFC_"
"_Borland_Delphi_v60__v70_"
"_dUP_v2x_Patcher__wwwdiablo2oo2cjbnet_"
"_Free_Pascal_v106_"
"_Armadillo_v171_"

Markdown


Yara

| Rule | Description | Offset | Data | Tags |
| ----------------- | --------------------------- | -------- | ----------------------- | ---- |
| APT30_Generic_7 | FireEye APT30 Report Sample | 0x7480 | "Xjapor_*ata" | [] |

NOTE: Data truncated to 25 characters
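As an added example (not code from the malice-yara project), a small Python script that consumes the JSON report shown above: it reproduces the jq rule-name filter, base64-decodes each string hit, and renders the Markdown table with the hex offset and the 25-character Data truncation noted above. The embedded sample JSON is constructed from the README's output.

```python
import base64
import json

# Constructed sample mirroring the README's JSON output (one rule, three string
# hits); real input is the stdout of `docker run ... malice/yara ... FILE`.
SAMPLE_JSON = """{
  "yara": {"matches": [{
    "Rule": "APT30_Generic_7", "Namespace": "malice", "Tags": null,
    "Meta": {"author": "Florian Roth", "description": "FireEye APT30 Report Sample"},
    "Strings": [
      {"Name": "$s1", "Offset": 29824, "Data": "WGphcG9yXyphdGE="},
      {"Name": "$s2", "Offset": 29848, "Data": "WGphcG9yX28qYXRh"},
      {"Name": "$s4", "Offset": 29864, "Data": "T3VvcGFp"}
    ]
  }]}
}"""

MAX_DATA = 25  # the plugin's Markdown output truncates Data to 25 characters

def rule_names(report_json):
    """Same result as the README's jq filter: the matched rule names only."""
    return [m["Rule"] for m in json.loads(report_json)["yara"]["matches"]]

def decode_strings(match):
    """Yield (name, offset, text) per string hit; Data is base64 of the matched bytes.
    Non-UTF-8 bytes become backslash escapes so a binary hit cannot corrupt the table."""
    for s in match.get("Strings") or []:
        raw = base64.b64decode(s["Data"])
        yield s["Name"], s["Offset"], raw.decode("utf-8", "backslashreplace")

def to_markdown(report_json):
    """Render the report as the README's Markdown table (first string hit per rule,
    as in the README's sample row)."""
    rows = ["| Rule | Description | Offset | Data | Tags |",
            "| --- | --- | --- | --- | --- |"]
    for m in json.loads(report_json)["yara"]["matches"]:
        hits = list(decode_strings(m))
        offset, data = (hex(hits[0][1]), hits[0][2][:MAX_DATA]) if hits else ("", "")
        rows.append('| %s | %s | %s | "%s" | %s |' % (
            m["Rule"], m["Meta"].get("description", ""), offset, data,
            m.get("Tags") or []))
    return "\n".join(rows)


if __name__ == "__main__":
    print(to_markdown(SAMPLE_JSON))
```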


Documentation

TODO

  • [ ] add rules (tagged?) from https://github.com/Yara-Rules/rules
  • [x] add rules (tagged?) from https://github.com/Neo23x0/signature-base

Issues

Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue and I'll get right on it.

CHANGELOG

See CHANGELOG.md

Contributing

See all contributors on GitHub.

Please update the CHANGELOG.md and submit a Pull Request on GitHub.

License

MIT Copyright (c) 2016 blacktop
